From cb2f7ea96b4f6e03ebf0c0563677745fc65f148e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 5 May 2018 22:00:01 +0200
Subject: [PATCH] avcodec/fic: Check available input space for cursor

Fixes: out of array read
Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/fic.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index 7f70ee47e6..c288c9771b 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -338,6 +338,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
         skip_cursor = 1;
     }
 
+    if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) {
+        skip_cursor = 1;
+    }
+
     /* Slice height for all but the last slice. */
     ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices;
     if (ctx->slice_h % 16)